From 59b813401500eeaee8ad7bb067c45a06c7ed1670 Mon Sep 17 00:00:00 2001
From: Philip Olson
Date: Fri, 8 Jun 2012 00:11:47 +0000
Subject: [PATCH] Documented that setting the character set via an SQL query will not be useful to real_escape_string. This closes PHP Bug #54605
git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@326022 c90b9560-bf6c-de11-be94-00142212c4b1
---
 .../mysql/functions/mysql-real-escape-string.xml | 15 +++++++++++++++
 reference/mysqli/mysqli/character-set-name.xml | 1 +
 reference/mysqli/mysqli/real-escape-string.xml | 14 ++++++++++++++
 3 files changed, 30 insertions(+)
diff --git a/reference/mysql/functions/mysql-real-escape-string.xml b/reference/mysql/functions/mysql-real-escape-string.xml
index d3270c13f5..308d4764cd 100644
--- a/reference/mysql/functions/mysql-real-escape-string.xml
+++ b/reference/mysql/functions/mysql-real-escape-string.xml
@@ -40,6 +40,20 @@ This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
+
+
+ Security: the default character set
+
+ Always set your character set at the server level, or with mysql_set_charset.
+
+
+ mysql_real_escape_string will take into account the character set
+ if it is set by either the MySQL Server (e.g., via its default-character-set directive)
+ or from mysql_set_charset. But, it will not use the character set that is set with
+ an SQL query, like as a SET CHARACTER SET ... or SET NAMES ... query
+ with mysql_query.
+
+
@@ -159,6 +173,7 @@ SELECT * FROM users WHERE user='aidan' AND password='' OR ''='' &reftitle.seealso; + mysql_set_charset mysql_client_encoding addslashes stripslashes
diff --git a/reference/mysqli/mysqli/character-set-name.xml b/reference/mysqli/mysqli/character-set-name.xml
index 86f923e672..947071779f 100644
--- a/reference/mysqli/mysqli/character-set-name.xml
+++ b/reference/mysqli/mysqli/character-set-name.xml
@@ -98,6 +98,7 @@ Current character set is latin1_swedish_ci &reftitle.seealso; + mysqli_set_charset mysqli_client_encoding mysqli_real_escape_string
diff --git a/reference/mysqli/mysqli/real-escape-string.xml b/reference/mysqli/mysqli/real-escape-string.xml
index 3c4b231199..3c5f229d4e 100644
--- a/reference/mysqli/mysqli/real-escape-string.xml
+++ b/reference/mysqli/mysqli/real-escape-string.xml
@@ -29,6 +29,19 @@ SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection.
+
+ Security: the default character set
+
+ Always set your character set at the server level, or with mysqli_set_charset.
+
+
+ mysqli_real_escape_string will take into account the character set
+ if it is set by either the MySQL Server (e.g., via its default-character-set directive)
+ or from mysqli_set_charset. But, it will not use the character set that is set with
+ an SQL query, like as a SET CHARACTER SET ... or SET NAMES ... query
+ with mysqli_query.
+
+
@@ -155,6 +168,7 @@ Error: 42000 &reftitle.seealso; + mysqli_set_charset mysqli_character_set_name